Loyola University Chicago

Information Technology Services

Rights and Responsibilities When Using Electronic University Resources

Information Technology Services (ITS) is the university organization that provides access to the university computing, networking, telephony, and information resources (hereafter referred to as the network) for Loyola students as well as for Loyola faculty and staff, and sponsored guests.

The University computer network consists of the university-wide backbone network, campus-wide backbone networks, local area networks (including public-access computing centers and labs), and many shared computer systems as well as personal desktop computers. Information Services works to ensure that network rights are not violated and network responsibilities are followed.

Network resources also include:

  • Digital information such as files, records, and images, audio, video or textual material (including network account information, access and authorization codes) stored on or accessible through the network.
  • Computer and networking programs, programming languages, instructions or routines which are used to perform work on the network.

Individuals covered

This policy applies to all persons accessing and using the network through any facility of the University. These persons include students, faculty, staff, persons retained to perform University work, and any other person extended access and use privileges by the University given the availability of these resources and services, and in accordance with University contractual agreements and obligations.

Rights regarding access and use of network resources and services

Members of the University community and others extended access privileges by the University can expect certain rights as they use the network and its services.

  • Privacy: All members of the community have the right to privacy in their electronic mail when it is used for personal, scholarly and professional purposes, keeping in mind that the primary use of the University electronic mail system must be related to the University's instructional, research, health care and public service missions and to the person's educational, scholarly, research, service, operational or management activities within the University.

    However, it must be recognized that electronic communications are by no means secure, and that during the course of ordinary management of computing and networking services, network administrators may view a person's files including electronic mail. In addition, if an individual is suspected of violations of the responsibilities as stated in this document, that individual's right to privacy may be superseded by the University's requirement to maintain the network's integrity and the rights of others authorized to access the University network. Should the security of a computer or network system be threatened, a person's files may be examined under the direction of the Vice President/CIO, Information Technology Services.
  • Safety: While unwanted or unsolicited contact cannot be controlled on the network, persons accessing the network who receive threatening communications should bring them to the attention of Information Services and/or the appropriate authorities. All who access and use the network must be aware, however, that there are services and material available through the network which might be considered offensive to groups of persons, and therefore those persons must take responsibility for their own navigation of the network.
  • Intellectual Freedom: The network is a free and open forum for the expression of ideas, including viewpoints that are strange, unorthodox, or unpopular. The network administrators place no official sanctions upon the expression of personal opinion on the network. However, such opinions may not be represented as the views of Loyola University Chicago.

Responsibilities regarding access and use of network resources and services

There are also responsibilities that must be met as part of the privilege of network access. All who access and use the University network are expected to live up to these responsibilities. If you knowingly violate a network responsibility, your network access may be suspended subject to University policies and procedures.

  • You are responsible for the use of your account. You may not give anyone else access to your account. You must not use a Loyola network account that was not assigned to you. You may not try in any way to obtain a password or access code for another person's network account. You may not attempt to disguise the identity of the account or machine you are using.
  • You are responsible for the security of your passwords and access codes. This includes changing them on a regular basis and making sure no one else knows them.
  • You cannot use any communications services, including electronic mail, or other resources, to intimidate, insult or harass others; to interfere unreasonably with an individual's work or educational performance, or to create an intimidating, hostile or offensive working/learning environment, especially within the context of university policies, i.e., Sexual Harassment: Faculty, Staff and Students (policy and procedure).
  • You must not use the University network resources to gain or attempt to gain unauthorized access to remote networks, including remote computer systems.
  • You must not deliberately perform an act which will disrupt the normal operation of computers, workstations, terminals, peripherals, or networks. This includes, but is not limited to, tampering with components of a local area network (LAN) or the high-speed backbone network, otherwise blocking communication lines, or interfering with the operational readiness of a network.
  • You must not run or install on any of the University computer systems, or give to another, a program which is intended to and likely to result in the eventual damage to a file or computer system and/or the reproduction of itself. This is directed towards, but not limited to, the classes of programs known as computer viruses, Trojan horses, and worms.
  • You must not attempt to circumvent access and use authentication, data protection schemes or exploit security loopholes without authorization.
  • You must respect authorial integrity, regarding intellectual integrity, including the use of personal, published or proprietary software, and refrain from plagiarism, invasion of privacy, and copyright violations. You must abide by the terms of all software licensing agreements and copyright laws. You must not make copies of or make available on the network copyrighted material, unless permitted by a license and authorized by the system administrator.
  • You must not perform acts which are wasteful of computing resources or which unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, creating excessive or unnecessary network traffic, sending unauthorized mass mailings, initiating or facilitating electronic chain letters, creating unnecessary multiple jobs or processes, or producing unnecessary or excessive amounts of output or printing. Printing excessive copies of any documents including resumes, theses, and dissertations is also prohibited.
  • You cannot place on University computing and networking systems, any information which:
    • infringes upon the rights of another person.
    • gives unauthorized access to another network account or system.
  • You must not attempt to monitor another person's data communications, nor may you read, copy, change, or delete another person's files or software, without their explicit permission.
  • University computing, networking, telephony and information resources are provided to support the University's missions in instruction, research, health care and public service. These resources may not be used for commercial purposes without authorization from the Vice President for Information Services.
  • Any network traffic exiting the University is subject to the acceptable use policies of the network through which it flows, including the following:

Acceptable use policies for these networks are available on the Internet.

  • You cannot use University computing, networking, telephony and information services and resources to perpetrate an act that violates any state or federal laws or any regulation specified in the University policies, including but not limited to the Sexual Harassment: Faculty, Staff and Students (policy and procedures) as well as the University's standards of conduct, i.e., Student Handbook (students), Faculty Handbook (faculty), and Employee Handbook and Personnel Policies (staff).

EDUCOM Code regarding ethical and legal use of software

Loyola University Chicago abides by the EDUCOM Code (1987) regarding the ethical and legal use of software, i.e., EDUCOM Code on Software and Intellectual Rights. The EDUCOM code can be found on the Loyola University Chicago web site and elsewhere on the Internet. In addition, copies of the brochure entitled Using Software: A Guide to the Ethical and Legal Use of Software for Members of the Academic Community, which explains the code, are available at every campus computing center.

Non-compliance and sanctions

Information Services and other appropriate university authorities should be notified about violations of computer laws and network policies, as well as about potential loopholes in the security of its networks.

Disregarding this policy concerning the rights and responsibilities of those authorized to access and use the University computing, networking, telephony and information resources may result in the denial or removal of access privileges by system or network administrators, and may lead to disciplinary action under applicable University standards of conduct. Additionally, such disregard may be referred to other authorities for civil litigation and criminal prosecution under applicable state and federal statutes.

Appeal of an administrative decision

Individuals who disagree with an administrative decision may submit an appeal of the decision to the appropriate resource manager or systems administrator. From there, a student may submit an appeal to the Dean of Students, a faculty member through their department administration either to the Provost or to the Vice President for the Health Sciences, and a staff member through their management to the Vice President for Human Resources. Individuals must submit these appeals according to any rules and procedures issued by system administrators or component administrators.

Relationship of this policy with others

This policy supplements the Access and Acceptable Use of University Computing, Networking, Telephony, and Information Resources and the Access and Acceptable Use of Public Access Computing and Networking Facilities and Services which are available and can be found on the Loyola University Chicago web site.

The University reserves the right to change the information, requirements and procedures announced in this policy. This policy will continue to be in effect until a further revision is required and promulgated. Consult the campus computing center or the appropriate system administrator for information on other policies, procedures or directives that supplement this policy.

Suggestions and comments concerning this Rights and Responsibilities for the Access and Use of University Computing, Networking, Telephony and Information Resources Policy can be directed to the University Information Security Office at datasecurity@luc.edu.

History

  • December 11, 2004: Updated links
  • October 22, 2012: Changed outdated references, PCI Compliance Review
  • June 4, 2014: Annual review for PCI Compliance
  • May 12, 2015: Annual review for PCI Compliance, Correction of typographic errors
  • April 25, 2016: Corrected links, annual review for PCI Compliance
  • April 19, 2017: Annual review for PCI Compliance
  • Sep 6, 2018: Annual review for PCI Compliance
  • Sep 24, 2019: Annual review for PCI Compliance
  • Version: 4.0

Scope:

This policy applies to all persons accessing and using 3rd party services capable of storing or transmitting protected or sensitive electronic data that are owned or leased by Loyola University Chicago, all consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, and in accordance with University contractual agreements and obligations.

Purpose:

The purpose of this policy is to ensure that Loyola Protected or Loyola Sensitive data is not inappropriately stored or shared using public cloud computing and/or file sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by, or associated with, Loyola University Chicago for services such as, but not limited to, social networking applications (i.e. all social media, blogs and wikis), file storage (Dropbox), and content hosting (publishers' textbook add-ons). Acceptable and unacceptable cloud storage services are listed in the appendix. All other cloud services are approved on a case-by-case basis.

Reason for Policy:

This policy endorses the use of cloud services for file storing and sharing 1) with vendors who can provide appropriate levels of protection and recovery for University information, and 2) with explicit restrictions on storage of University Protected Information. While cloud storage of files can expedite collaboration and the sharing of information anytime, anywhere, and with anyone, there are some guidelines that should be in place for the kind and type of university information that is appropriate for storing and sharing using these services. Even with personal use, you should be aware of the level of protection available for your data using such a cloud service.

Federal and State laws and regulations place a premium on institutions’ ability to understand the risks of IT services and systems and make appropriate determinations about risk tolerance.  Some cloud providers, for instance, might mine data for marketing purposes. Covered laws and regulations are listed in the Loyola University Data Classification Policy.

There are a number of information security and data privacy concerns about use of cloud computing services at the University. They include:  

  • University no longer protects or controls its data, leading to a loss of security, lessened security, or inability to comply with various regulations and data protection laws
  • Loss of privacy of data, potentially due to aggregation with data from other cloud consumers
  • University dependency on a third party for critical infrastructure and data handling processes
  • Potential security and technological defects in the infrastructure provided by a cloud vendor
  • University has limited service level agreements for a vendor’s services and the third parties that a cloud vendor might contract with
  • University is reliant on vendor’s services for the security of some academic and administrative computing infrastructure

Policy:

The following table outlines the data classification and proper handling of Loyola data.

| Data Classification | Cloud Storage (See appendix for approved services) | Network Drive (LUC ID and Password Required) | Local Storage |
|---|---|---|---|
| Loyola Protected | Not Allowed | Allowed. No special requirements, subject to any applicable laws | Not Allowed |
| Loyola Sensitive | Allowed but Not Advised. Requires Dept. Manager approval | Allowed. No special requirements, subject to any applicable laws | Allowed but Not Advised. Requires Dept. Manager approval |
| Loyola Public | Allowed. No special requirements | Allowed. No special requirements | Allowed. No special requirements |

Use of central and departmental servers, where UVID authentication is required, is the best place to store all categories of Loyola data, particularly Loyola Protected data. It is never acceptable to store Loyola Protected data on any cloud service.  This includes data such as grades, social security numbers, private correspondence, classified research, etc.

 

Definitions:

Loyola Protected Data - Any data that contains personally identifiable information concerning any individual and is regulated by local, state, or Federal privacy regulations.

Loyola Sensitive Data - Any data that is not classified as Loyola Protected Data, but which is information that Loyola would not distribute to the general public.

Loyola Public Data - Any data that Loyola is comfortable distributing to the general public.

General Data Protection Terms:

The University must specify particular data protection terms in a contract with a cloud-computing vendor. In this way, the University creates a minimum level of security for University data. A minimum level of security ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed.

The University should consider the following contract terms to ensure a minimum level of information security protection: 

  • Data transmission and encryption requirements
  • Authentication and authorization mechanisms
  • Intrusion detection and prevention mechanisms
  • Logging and log review requirements
  • Security scan and audit requirements
  • Security training and awareness requirements

Compliance with Legal and Regulatory Requirements:

The University must follow many federal laws; these include the Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).

State laws may also affect a relationship with a cloud-computing vendor. For instance, the Illinois Personal Information Protection Act (IPIPA) requires that the University follow rules about disclosing Social Security Numbers as well as specific security breach notification procedures.

NOTE: A relationship with a cloud-computing vendor may also be impacted by private industry regulations. For example, departments at the University that accept credit cards also must follow the Payment Card Industry (PCI) Data Security Standard (DSS) issued by the major credit card companies. Finally, cloud-computing services that use, store, or process University data must also follow applicable University policies.  Such policies may include Information Technology Services policies and the University's data handling requirements.

Exit Strategy:

Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans.  The University must determine how data would be recovered from the vendor.

Policy Adherence:

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Related Documents:

Acceptable Use Policy for Electronic University Resources

Ownership and Use of Data

Data Classification Policy

Electronic Security of Loyola Protected & Sensitive Data Policy

Appendix:

Listing of Cloud Storage Services

This listing is meant to serve only as a partial list of cloud storage services. Any cloud storage service not explicitly listed as approved should be assumed to be not approved.

| Services Approved for University Use | Services Not Approved for University Use |
|---|---|
| Box – Using UVID only (until December 31, 2017) | Dropbox |
| Microsoft OneDrive (Loyola Enterprise Account using UVID only) | iCloud |
| | Microsoft OneDrive (Personal Account) |
| | Amazon Cloud Drive |
| | Google Drive |
| | Box (after December 31, 2017) |

Individuals who use enterprise OneDrive accounts for university work are responsible for ensuring that Loyola Sensitive information is not placed or stored in unapproved or inappropriate locations. When using OneDrive for institutional information, use it only for institutional information classified as Loyola Public or Loyola Sensitive. Pay special attention to access levels when sharing files and folders with other collaborators to ensure that data is not inappropriately shared.  You should not use your enterprise OneDrive account to collect, process, or store data covered by laws such as HIPAA, FERPA, FISMA, IPIPA, and GLBA. This does not include limited research datasets or fully de-identified information as related to the HIPAA Privacy Rule.

Contractual Expectations

The University will seek and endorse vendors who deliver solutions that meet the following requirements.

Both the University and cloud-computing vendor must declare the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party. The parties also must clearly define data that must be protected.

The contract must specifically state what data the University owns. It must also classify the type of data shared in the contract according to the University’s classification schema: Public, Sensitive, or Protected. Departments must exercise caution when sharing University-classified sensitive or protected data within a cloud computing service.

The contract must specify how the cloud-computing vendor can use University data. Vendors cannot use University data in any way that violates the law or University policies.

Any contractual agreement for cloud services should specify that the datastore must be located in onshore locations that are within the boundaries of the United States.

References:

This policy is a production of individual thought and a collaboration of multiple public works including portions of policies and guidelines from: Western Michigan University, EDUCAUSE, and Internet2 Consortium.

Questions about this policy:

If you have questions about this policy, please contact the University Information Security Office at DataSecurity@luc.edu.

History:

  • August 31, 2012: V 1.0, Initial Policy Created
  • September 13, 2012: V 1.0, Policy Approved
  • June 22, 2015: V 1.0, Annual review for PCI Compliance
  • July 13, 2017: V 1.1, Changed supported storage to OneDrive, Annual review for PCI Compliance
  • Sep 7, 2018: V 1.1, Annual review for PCI Compliance
  • Sep 30, 2019: V 1.1, Annual review for PCI Compliance